Dns-google plugin failure to find managed domains


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly
–dns-google-credentials ~/.secrets/certbot/gh-dns-credentials.json
-d ch1.grzhost.com

It produced this output:
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
returned “Forbidden”>

My web server is (include version): None in this case. I’m working with dns authentication.

The operating system my web server runs on is (include version): Linux Ubuntu 16.04

My hosting provider, if applicable, is: self hosted at HE

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m getting this error:
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
returned “Forbidden”>

Running this command

sudo certbot certonly
–dns-google-credentials ~/.secrets/certbot/gh-dns-credentials.json
-d ch1.grzhost.com

Note: I was able to get my credentials file from Google, and renamed the file the above name.
I also verfied this was for the DNS services account, and created a second set of credentials with the same results.

At the end of the help request is a piece of the letsencrypt log file.
Look like I’m getting a forbidden response and the managed zone is not found.

When I run (from a browser): https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.

I get:
“error”: {
“errors”: [
“domain”: “global”,
“reason”: “required”,
“message”: “Login Required”,
“locationType”: “header”,
“location”: “Authorization”
“code”: 401,
“message”: “Login Required”

When I look at my manages zones in my Cloud Shell console I get:
gcloud dns managed-zones list
ch1-grzhost-com ch1.grzhost.com.

The https://www.googleapis.com/discovery/v1/apis/dns/v1/rest and

both returned reasonable looking data.

Please let me know what I’m doing wrong, or what permissions I’m missing.
Regarding permission, for testing, I have give all permissions to my account, just trying to make sure
I can get things to work, before tightening thins up.

-----dns-google p
Following is a piece of the log file that shows my error.

2018-05-19 02:20:50,072:DEBUG:acme.client:Storing nonce: GZsysNmF1OH8iiYbtFWyukJjTjN3Plbh63TbySe9HUE
2018-05-19 02:20:50,073:INFO:certbot.auth_handler:Performing the following challenges:
2018-05-19 02:20:50,073:INFO:certbot.auth_handler:dns-01 challenge for ch1.grzhost.com
2018-05-19 02:20:50,079:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2018-05-19 02:20:50,304:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.

2018-05-19 02:20:50,304:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2018-05-19 02:20:50,308:DEBUG:oauth2client.crypt: …
2018-05-19 02:20:50,308:INFO:oauth2client.client:Refreshing access_token
2018-05-19 02:20:50,760:WARNING:googleapiclient.http:Encountered 403 Forbidden with reason “forbidden”
2018-05-19 02:20:50,761:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 73, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File “/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common.py”, line 57, in perform
self._perform(domain, validation_domain_name, validation)
File “/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py”, line 70, in _perform
self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
File “/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py”, line 113, in add_txt_record
zone_id = self._find_managed_zone_id(domain)
File “/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py”, line 275, in _find_managed_zone_id
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
returned “Forbidden”>


I just noticed the reply from google was error login required. I thought the certificate gave all the information to the dns-google plug to do the login. What am I missing?


I myself don’t use the Google DNS plugin, but there’s a specific documentation page about it, including information about the credentials et c.: https://certbot-dns-google.readthedocs.io/en/latest/

I would suggest reading it from top to bottom and verify everything on your setup.


Thanks for the advice. I’ve been reading, reading, and re-reading the doc and digging in as much as I can.
I found a site: https://russt.me/2018/04/wildcard-lets-encrypt-certificates-with-certbot/

that has some pretty explicit instructions. I noticed that he had DNSSEC checked.

I’m going down that rabbit hole now. I have GoDaddy as my registrar.

I have verified my DNSSEC records:

ns-cloud-b1.googledomains.com. has DNSSEC data for ch1.grzhost.com

ns-cloud-b2.googledomains.com. has DNSSEC data for ch1.grzhost.com

ns-cloud-b3.googledomains.com. has DNSSEC data for ch1.grzhost.com

ns-cloud-b4.googledomains.com. has DNSSEC data for ch1.grzhost.com

Negative cache for ch1.grzhost.com expires after 300 seconds.

And I have placed all the DS info into the GoDaddy DS record form.

Now I can not longer access my any machines in my sub-domain.

Like I said, going down the rabbit hole…

I’ll post what I find when I get things to work.



You need to delete the DS record.

All of grzhost.com. is bogus at the moment.

To enable DNSSEC for ch1.grzhost.com., a DS record with the name ch1 has to be set in the grzhost.com. zone.

Instead, there’s a DS record named grzhost in the com., zone, so validating resolvers expect the grzhost.com. zone to be signed – with that key – which it isn’t.


If you want to enable DNSSEC, since grzhost.com. and ch1.grzhost.com. are separate zones, it has to be done in two steps.

GoDaddy’s DNS service offers DNSSEC (though it’s not enabled on grzhost.com.) but I’m not sure it allows you to create DS records to secure child zones.


Thank you very much.
Yes, grzhost.com is now toast.

There is no way to set a named DS record. I have deleted the record I created, the domain is still toast.

I used the registrar information from Google. I really don’t know what GoDaddy wanted, but clearly it was not this

This is a test domain, with very few records. I get the basic domain working again. GoDaddy support just assign the domain to a different DNS server then back to their servers to reset the domain.

My next step is to get a domain name from google and see if I can get the DNSSEC to work with it, then try again with Lets Encrypt.

thanks again for you help,



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.